Criminals might have accessed the personal and medical information of 30,000 Florida Medicaid recipients via a successful phishing attack.
On 2 January 2018, Florida's Agency for Health Care Administration (Agency) received the preliminary findings of a review launched by the state's Inspector General. The review analyzed a malicious phishing email that an Agency employee fell for on 15 November 2017. Its purpose was to determine whether the attack exposed protected health information (PHI). The Agency learned of the incident five days after it occurred and then notified Florida's Inspector General. It also verified that the employee changed their login credentials to prevent future unauthorized access. In a statement (PDF) posted to its website, the Agency describes the types of information the attack might have compromised:
It is possible that Medicaid enrollees’ full names, Medicaid ID numbers, dates of birth, address, diagnoses, medical conditions or Social Security numbers were accessed in part or full. At this time, the Agency believes it is possible that the personal information of up to 30,000 individuals may have been partially or fully accessed. Although the review is ongoing, the Agency believes that only approximately 6 percent of these individuals could be confirmed as having their Medicaid ID or social security numbers potentially accessed.
Following its discovery of the potential breach, the Agency conducted a review of its IT systems to learn more about how the incident occurred. It also instituted a new security training program for all employees. Florida's Inspector General has yet to release its full review of the phishing attack. While it awaits those findings, the Agency for Health Care Administration has decided to notify all potentially affected Medicaid recipients about the breach and to provide them with one year of free membership in Experian's IdentityWorks program. Those concerned can learn more about the breach and the Agency's response by calling 1-844-749-8327.
As Engadget's Jon Fingas rightly notes, this incident illustrates the fragility of many organizations' medical systems. It should therefore serve as a reminder to all companies that they must take steps to maintain the security of their electronic medical record systems.